On Wed, 2004-10-06 at 16:24 -0700, Nathan Grennan wrote: You can copy instead of moving, that will cause the newly created file to inherit the target directory's security context. It's a good thing that a bit of work is required to expose your personal data to the web server. If you upload via FTP directly to the web site, then it will Just Work. If you upload to your home directory and then rename to the website directory (which seems rather odd to me), then yes, you will need to relabel. And normal users can do this, just run: chcon -t httpd_user_content_t filename You can disable SELinux protection just for Apache if you like, run system-config-securitylevel.

On Thu, 2004-10-07 at 03:07, Nathan G. Grennan wrote: The mv command preserve protections by default, as expected. A similar issue would arise if the original ownership and mode bits on the file prior to moving prevented access by apache, right? As above, do you expect mv to rewrite the DAC ownership and mode bits when you move a file to /var/www/html? And note that the pathname by which you access a file tells us nothing useful about its protection requirements; a single file may have many names via multiple hard links, bind mounts, etc, and letting people bypass protection by using a different name is a classic security flaw. And they already have to deal with setting mode bits. Running restorecon on the file as an extra step is just an education issue. Improved transparency is certainly a good thing, but you are imposing an unfair requirement on SELinux that does not exist for the existing DAC protections and total transparency would just mean no protection at all. -- Stephen Smalley <sds(a)epoch.ncsc.mil&gt; National Security Agency

On Thu, 2004-10-07 at 11:41, Nathan Grennan wrote: http://www.nsa.gov/selinux/papers/inevit-abs.cfm -- Stephen Smalley <sds(a)epoch.ncsc.mil&gt; National Security Agency

On Thu, 07 Oct 2004 08:41:30 -0700, Nathan Grennan I think there is a strong point about complexity of the settings space. The fact that ownership permission and umask use a small finite settings space makes the ui for changing those settings managable across a number of tools. For example lftp client understands chmod. does it understand restorecon? I think there is a point here too.. but let me rephrase it by asking a question. Is there ever any value in having files in a path NOT be the correct security context for that path? If there is never any value in leaving security contexts 'stale' after a mv operation, and it is always expected that a user will be required to run restorecon for useful operation. It seems reasonable to me that mv should be applying the correct context for the new path location automatically. Are there tools in userspace with 'reasonable' ui that would let a user manually change context on a subset of files contrary to what restorecon would do? If there is a lack of tools that let users delibrately create out of sync security contexts, thats a major difference between how ownership and permissions are handled. -jef"notice all those if's....."spaleta

On Thu, 2004-10-07 at 12:56 -0400, Stephen Smalley wrote: The point of the original question (as I interpreted it), is there value in having mv, rename, and similar operations not update the file's security context to the correct one of the new path? In the case where the file *should* have a different security context than other files have by default in that path, then the user/admin can manually change things. The common operation should have the expected result. So, the question is, shouldn't the desired behavior of the mv, rename, and similar operations be to update the context of the file by default? Most people do not complain about MAC due to the fact that it does what it does. Most complaints on SELinux are because it's far too complex to get it to do what it does. Complexity is the bane of security. Lack of education on security is the biggest security problem of them all. SELinux adds a lot of complexity and increases the amount of education a user/admin needs to operate a secured system. The SELinux configuration syntax makes it vastly too difficult to configure things for the common case. The format makes it possible to do just about anything, yes, but when you just know that binary foo only needs to do X and Y to files A and B, it requires an extensive background in SELinux to be able to configure properly. Simplifying the config syntax could make SELinux far more usable. The current syntax requires the admin to think in terms of SELinux mechanics, not in terms of what they want the system to do. You can't just write "/bin/foo can only perform read operations, and only on /etc/foo.rc," you need to write, "/bin/foo is this context, /etc/foo.rc is this context, and the traits between these are this" and so on. Low-level implementation details are directly exposed. It's a poor design that only makes sense to the SELinux designers. Think user interface design and usability. The config files are the SELinux user interface exposed to administrators. It should be a syntax and format that is ideal for how administrators think and the work they want to do, not a syntax and format that is ideal for SELinux developers. A security system that is too complicated to use properly can be a lot worse than a weaker security system that its users can easily understand and configure. Design the exposed UI for the end users of the system. Don't just expose the raw UI that developers understand. And the config files are definitely UI. -- Sean Middleditch <elanthis(a)awesomeplay.com&gt; AwesomePlay Productions, Inc.

Not only can this type of analysis not be done on the existing DAC mechanism, if it could that answer could change at any time. With SELinux we can answer questions like this and know that the answer will remain the same as long as the policy doesn't change. Also, the flow of information in a system can help you answer many interesting questions beyond the disclosure of sensitive information. For example, integrity questions like who/what can write information to the config files for trusted applications. Karl Karl MacMillan Tresys Technology http://www.tresys.com (410)290-1411 ext 134

Steve - I agree with you here. The underlying policy language does a good job of representing the SELinux model, but policy writers need some tools and frameworks to allow them to work at a higher level and more directly encode the security goals they care about. This might, for example, allow them to focus on how information flows through an email relay so that they can ensure that every email must pass through a virus scanner. For an experienced policy writer, I assert that it is fairly straightforward to accomplish this in the existing policy language, but for others some more support is necessary. We are actively working on this problem and have some interesting concepts in development. I hope that we will have something more concrete to share in the coming months. Karl Karl MacMillan Tresys Technology http://www.tresys.com (410)290-1411 ext 134

On Thu, 2004-10-07 at 08:41 -0700, Nathan Grennan wrote: Not to put SELinux in bad company, but the level of security provided by SELinux is very similar to what is provided by the Windows NT/XP security system and that doesn't seem to bother people too much. Of course, MS essentially turns it off to prevent that! I think the crux of this thread is that there are likely to be cases (especially short-term) where SELinux poses a burden. While some of these cases may be reasonably common (hosting customers FTP-ing up files, etc), I really don't think they justify disabling SELinux as a whole out-of-the-box. If RH was to do that, they might as well stop spending any time developing SELinux and all of us Fedora users might as well stick with the standard UNIX security system. If you find that SELinux doesn't work in your environment due to various reasons, it is quite easy to disable it though a much better alternative would be to work with the RH folks to get it to work properly in your environment. And don't forget - that may mean changing some of YOUR practices to make it work. -- David Hollis <dhollis(a)davehollis.com&gt;

On Thu, 2004-10-07 at 19:00, Stephen Smalley wrote: while that is true it sure should be possible to have a policy that can be used by default and doesn't change existing "this works" practice. Even if that policy allows a bit more than you would want.

On Thu, 2004-10-07 at 19:11 +0200, Arjan van de Ven wrote: If such a policy can me made I would be happy. In the beginning I thought SELinux sounded good, but experience with it suggests that writing policy to such a fine-grained is just too labor intensive and problematic.

On Oct 7, 2004, at 18:40, David Hollis wrote: That's esentially wrong. Windows does support Discretionary Access Control which, althogh it's a little bit more advanced than UNIX DAC, it's not Mandatory Access Control. Don't get confused: SELinux is Mandatory Access Control, while uid/gid/masks are Discretionary Access Control. They are such different beasts: With DAC, permissions over resources are managed by their owners (root or users). In a MAC-based system, a policy governs how the system security behaves, and the policy is set up by an administrator and obeyed by everyone.

This can't be stressed enough. SELinux is a disruptive technology, but it is the first time that a security technology that solves some of the fundamental security problems that are plaguing computers is available in a mainstream operating system. Karl Karl MacMillan Tresys Technology http://www.tresys.com (410)290-1411 ext 134

On Thu, 2004-10-07 at 09:20 +0200, Arjan van de Ven wrote: In one of my examples I mention users uploading data via ftp, where that is their only access. They wouldn't be able to restart httpd. Exactly.

On Thu, 07 Oct 2004 09:00:01 -0400, Stephen Smalley <sds(a)epoch.ncsc.mil&gt; wrote: Education about needing to be aware of the contexts now is one issue, but we are going to definitely need to expose the security context information in the tools most people use to check file properties if we want it to be easy to deal with. I know ls in rawhide exposes the contexts via -Z but I haven't poked around with nautilus to see if security context information is exposed there. And of course having nautilus be able to run the restorecon via a right click menu entry on a directory or file is going to be needed for smooth operation for a segment of the userbase. And are there any tools aimed at helping users figure out what file security context settings are needed for specific service/daemons? -jef

On Thu, 2004-10-07 at 10:01, Kenneth Porter wrote: find /etc -context system_u:object_r:shadow_t -print find /etc -printf "%p %Z\n" But a better tool for this purpose is likely setfiles, e.g.: /usr/sbin/setfiles -qnv /etc/selinux/targeted/contexts/files/file_contexts /etc /sbin/fixfiles check is similar, but seems to only log to a file (fixfiles is a script written by RedHat that calls setfiles internally). -- Stephen Smalley <sds(a)epoch.ncsc.mil&gt; National Security Agency

Once upon a time, Stephen Smalley <sds(a)epoch.ncsc.mil&gt; said: Lots of web users use FTP to upload files. FTP has a chmod command; it does not have commands to alter SELinux labels (and even if such commands were added, you aren't liable to get WSFTP and such to change just to support a few Linux servers). Not all users have shell access either. -- Chris Adams <cmadams(a)hiwaay.net&gt; Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.

--On Thursday, October 07, 2004 10:27 AM -0400 Stephen Smalley <sds(a)epoch.ncsc.mil&gt; wrote: Does FTP support moving? If not, then the issue of not having shell access goes away, because the user can't upload and then move.

On Thu, 2004-10-07 at 10:30 -0500, Chris Adams wrote: I think that explaining what your users need to do for SELinux in this case is quite similar to explaining execute permissions. CGI scripts for example in the default Apache policy need to be httpd_user_script_exec_t. CGI script data needs to be httpd_user_script_ro_t or httpd_user_script_rw_t. There's no way for SELinux to automatically guess what data you want writable by the CGI and what you don't. You simply need to have users be aware of chcon -t if you want the additional security. Although: There could be higher level tools built here that would automatically set corresponding types when a new site is uploaded. You'd have your users upload their website into a "staging" area, and then a cron job would move it into place atomically and relabel it as necessary. I think it'd also be very useful to have tools that parsed the SELinux audit logs and warned an administrator if a user's web site seemed not to be set up correctly; you could even have it automatically relabel there too, but there are tradeoffs.

On Thu, 2004-10-07 at 17:36 +0100, Joe Orton wrote: That's absolutely true. We're trying to fundamentally improve Linux security here, and people will have to learn new things. But with the targeted policy and boolean support, it's also extremely easy to turn off enforcement just for Apache if you like; run system-config- securitylevel or setsebool httpd_disable_trans true. Yet another alternative is to just run in permissive mode and figure out what you need to change to alter the policy for your needs.

On Thu, Oct 07, 2004 at 04:33:34PM -0400, Colin Walters wrote: I'm just not convinced it's the right decision to apply SELinux policy to Apache *by default*. New administrators have enough problems trying to configure stuff as it is, without placing this invisible tripwire in front of them. It won't endear people to FC3 as a good web server platform if the PHP, CGI scripts etc, hell, even running httpd -t "just doesn't work" out of the box when it did in past releases. They will go back to "chuck away the packaged stuff and build from sources" as that'll be the first thing people will tell them when they ask the mailing lists and IRC channels. joe

On Fri, 2004-10-08 at 10:58 -0600, Stephen J. Smoogen wrote: Far better to just disable protection for Apache using system-config-securitylevel.

On Thu, Oct 07, 2004 at 09:25:26AM -0500, Chris Adams wrote: Switch to DAV maybe? FTP sucks for all sorts of other reasons... :-) Steve -- Steven Pritchard - K&S Pritchard Enterprises, Inc. Email: steve(a)kspei.com http://www.kspei.com/ Phone: (618)398-3000 Mobile: (618)567-7320

On Thu, Oct 07, 2004 at 09:52:33AM -0500, Rex Dieter wrote: The *client* doesn't care about ~user directories. Having a DAV server which can manipulate files in ~user directories under ownership of said user requires running the server as root, which is really not something you want to do. joe

On Thu, Oct 07, 2004 at 04:49:10PM +0100, Joe Orton wrote: Your apache needs to have setfsuid rights, that is all

On Thu, Oct 07, 2004 at 05:41:38PM +0100, Joe Orton wrote: You have control over how its inherited depending on whether you admit to being capability aware or not. In the sane case you'd turn it off when execing just as you make sure files all get closed. Alan

On Thu, Oct 07, 2004 at 07:58:20PM +0100, Joe Orton wrote: That would be a problem yes. You'd end up with apache able to access any files in the system. I guess mod_webdav should never have been mod_

On Thu, Oct 07, 2004 at 03:14:23PM -0400, Colin Walters wrote: I don't see how this makes sense with HTTP. The code with the buffer overflows is the HTTP parsing and SSL handling. THat's also the code which you must trust to determine what "user context" a request might be for. joe

Hi. Steven Pritchard <steve(a)silug.org&gt; wrote: If it takes selinux to make ftp go away, I'm all for it. -- Dare to slack: When birds fly in the right formation, they need only exert half the effort. Even in nature, teamwork results in collective lazyness. -- Despair Inc. calendar, May 2001